Thanks for your suggestion. This is what the currect setup. If i put the /30 address for outside interface and /29 on the inside, what about the LAN? Do i need an additional router? can i replace the PIX with something like the cisco ISR ? Thanks.

[internet]------ [dsl modem]--/28--------/28-- [pix firewall]-----/24-- NAT'ed ------ [LAN] 192.168.1.0/24

Comcast Dedicated Etherenet terminated on RJ45 port

[internet]------[ comcast switch ]------[ ??????? ]------ [pix firewall]-----/24-- NAT'ed ------ [LAN] 192.168.1.0/24

Your follow up question raises more questions which depend on knowledge of your environment - but you have not provided any knowledge of your environment. You have given two rough drawings but neither of them correspond to what you describe in the original post.

The original post talks about a /30 and a /29. But the first illustration shows a /28 and a /24. The second shows no detail about the outside and a /24 on the inside. But neither of these is the /30 and /29 that you ask about in the original post. So what is your environment? And what is your real environment?? Until you give us consistent and reliable information how can we give you good answers???

HTH

Rick

Rick, sorry for the confusion. i hope the following explanation will help to clarify my question.

For the new dedicated internet from Comcast. They terminated the connection on a Ciean 3930 switch and provided the follwing IP address.  (ip below for explanation only, not actual ip address)

1.1.1.140 /30  assign to layer 3 device

1.1.1.141  = gateway

customer usable IP block & subnet mask

1.1.1.152 / 29

255.255.255.248 subnet

I tested the ip 1.1.1.140 with a laptop and it is able to access internet but not with the /29 ip address.

the Comcast tech told me i need to set a route from /30 to /29. For this part i don't understand. Do I need an additional router between the Ciean switch and the Cisco PIX? or can I reconfigure my PIX firewall with the new IP address?

Thank you. The additional explanation is helpful. Based on the additional information I believe that the suggestion that I made in my first response would work and would accomplish what you need. You would configure the outside interface of the PIX using 1.1.1.140 with a /30 mask. You would configure a default route out the outside interface with next hop of 1.1.1.141. You could configure the inside interface of the PIX with 1.1.1.153 with the /29 mask. This should work using both address ranges on the PIX.

It could also be possible to use some private address on the inside interface of the PIX and to use 1.1.1.152 as a pool of addresses for address translation.

Both of the results of your testing are the expected results. When you connect a laptop using address 1.1.1.140 you have connectivity because you have put the outside address on a layer 3 device and it has connectivity using 1..1.1.141 as its gateway. But when you connect the laptop to the connection and use address 1.1.1.152 it does not have connectivity because Comcast is set up to route to that subnet using 1.1.1.140 as the next hop to get there. It should not work when it is directly connected.

HTH

Rick